How to secure a solid manufacturing recovery from the crises
During the pandemic, manufacturers turned to digital technology to continue producing, shipping, and operating—often accelerating multiyear automation plans in weeks.
Manufacturers face three special 4IR-related cyber challenges: expanding attack surface, explosion in data responsibilities, and uncoordinated, disconnected teams.
For a stronger cyber future, manufacturers should visualize their expanding attack surface in real-time using advanced tools, strengthen data protection and privacy, and build a connected cyber culture throughout their organization.
Eighty-seven percent of business leaders of industrial products companies agreed that 4IR technologies give companies a competitive advantage, and 79% agreed they create new revenue streams, according to a multi-nation PwC survey on 4IR adoption.
In fact, manufacturers that have deployed 4IR technologies in recent years were quick to respond to closures of factories, warehouses, and offices. They rapidly shifted to remote working, virtually tracking assets (such as manufacturing operations and logistics) and automating (via artificial intelligence (AI), internet of things (IoT), robotics and robotic process automation).
But this hasn’t been without risks. During the pandemic, cyber attacks rose and they’re expected to remain elevated during recovery. Even before the pandemic, over half of business leaders surveyed (55%) acknowledged that 4IR technologies “increase security risks” according to PwC’s 4IR adoption survey.
The crisis isn’t a good time to let up on cybersecurity and privacy. Nearly three-quarters of CFOs of industrial products companies PwC surveyed in May 2020 expected to cancel or defer planned investments across their business (e.g., operations, workforce, general capex). But just 2% of those CFOs said they planned to cancel/defer planned investments in cybersecurity and data privacy initiatives and just 15% planned to cancel/defer digital transformation.
Business leaders don’t need to be convinced to do the right thing, but they need help to decide where to focus their efforts and dollars to get the maximum benefit. PwC and the National Association of Manufacturers (NAM) highlight the three most important things to get on a path for a stronger cyber future.
Q. What is the impact of 4IR tech on your business or operations (industrial manufacturing respondents)?
Manufacturing has long been a much-coveted target of cybercrime, observes the 2020 Data Breach Investigations Report by Verizon. The expansion of IoT-connected devices makes the industry an even more attractive target for exploitation by cybercriminals and nation-state actors.
And yet, about two-thirds of businesses surveyed estimate that at least half of all devices in their enterprise networks are either unmanaged or are IoT-based, according to a Forrester Research study. Unmanaged and IoT devices communicate with other areas of an enterprise, but they are not secured by traditional security tools and can, therefore, be entry points for cybersecurity exploits.
Vulnerabilities are everywhere: at the enterprise level, including computer networks, operating systems, servers and the cloud. Increasingly, entry points are proliferating outside traditional IT domains on myriad fronts, including IoT-embedded manufacturing machinery, surveillance systems (webcams, smart security systems), routers, USB drives, HVAC and lighting systems, and even printers. It’s important to also consider all back-office, non-production systems, such as those managing inventory, order fulfilment, accounting and supply chain logistics. Thinking beyond operations also involves vulnerabilities in the supply chain and other third and fourth parties.
The consequences of neglecting all these are significant. Industrial espionage and intellectual property theft blunt a manufacturer’s competitive advantage. Remote disabling of machines and systems, costly production or shipment delays, or theft of customer information can lead to reputational damage. Exploits can even jeopardize worker safety.
“Small and medium-sized enterprises often face challenges of simply knowing what’s on their network that can be compromised. They lack a strong asset management program. Patching and updating security are also problems for many. It’s 2020, but it’s still a massive problem.”
In a 4IR world, manufacturers are making products that will collect or transmit consumers’ financial information, identity data, biometric data, or even geographic location—in the name of better quality and better service.
Consumer data is no longer someone else’s problem for industrial manufacturers (IM) and engineering and construction (E&C) companies. Forty percent of manufacturers (IM) have IoT systems that interact directly with consumers, collecting their data. For companies active in mobility or the utility sector, their business model increasingly lives off consumer data. E&C companies meanwhile are ramping up smart infrastructure and smart city initiatives, which all run on consumer data. It's also important to distinguish the different types of data (e.g., consumer data, business-to-business data or data collected on shop floors) and to recognize that each type requires tailored protection and security strategies and protocols.
Even if the manufacturer doesn’t sell directly to consumers, their customers do—and those clients need their products to securely gather and store consumer data.
Eighty-five percent of consumers around the world wish there were more companies they could trust with their data, according to PwC’s consumers survey on trust in technology. Eighty-three percent want more control over their own data.
Manufacturers’ responsibilities for their connected products are considerably greater than they were for legacy analog items. Those responsibilities go beyond a product’s physical integrity, and, perhaps even more important, encompass the digital integrity of that product.
“We have a third-party vendor test our products for cybersecurity proofing. And, when we purchase IoT products for our operations, we carry out strict oversights into how secure those products are, and we ask vendors to carry out an audit to demonstrate the strength of cyber controls in their products. Deep thought should be made into these decisions around acquiring connected products.”
As manufacturers introduce more connected devices and machines throughout their enterprise, it’s not always clear precisely who—the information technology (IT) team or the operational technology (OT) team—should be charged with oversight of digital devices and information systems. The answer? Both teams should be working in tandem.
Increasingly, manufacturers are experiencing growing pains merging these two teams. They have different mandates, priorities, concerns and skills. They also work with different security protocols and infrastructures. As 4IR tech deployment forges ahead, the security roles of traditional IT departments (e.g., securing computer networks, patching emerging vulnerabilities and performing regular security software upgrades) need to converge more closely with their counterparts in operational technology.
“In the past, with many producers of connected products, security was either underappreciated or seen as too expensive and involved—or even overkill. So, many manufacturers lagged on this front. Now, building cybersecurity into the life cycle of a product is pretty much mainstreamed.”
You can’t protect what you don’t see. Sixty percent of manufacturing companies reported they have created a full inventory of their connected assets over the last five years, according to PwC’s Digital Trust Insights study on resilience. But less than a quarter have automated evergreen visibility into key assets and dependencies across their enterprise.
Here’s a significant opportunity: Platforms that use automation, analytics and visualization are now available to deliver an always-current view of critical business services and the underlying IT assets required to deliver them. A single view helps align stakeholders so they can improve operational performance and resolve issues that otherwise introduce risk. Manual, out-of-date, and incomplete views of critical business services are no match for the rapid pace of technology deployment and change.
Such technologies help defend the organization against constant threats. PwC’s Terrain Insights includes a powerful scoring mechanism that lets you measure and manage the resilience of your critical business services. It’s a business-centric view that brings stakeholders in IT, the business, cyber and risk together to quickly spot and remediate issues before they disrupt business operations.
Creating an evergreen inventory of assets and critical business services will highlight the need for some organizations to retrofit devices and systems. “There are many older devices—such as transformer or voltage regulators on the electrical grid in the utilities sector—that are three decades old and require new electronic control hardware to accommodate the increased sophistication of cybersecurity attacks,” said Michael Regelski, senior vice president and chief technology officer, Eaton (electrical sector), in an interview with PwC. “So, there will be a need for an enormous amount of investment to retrofit obsolete hardware to make it secure with today’s cybersecurity technology.”
Ready to take stock of vulnerable entry points to your organization?
Download the full version of the article for checklists and more.
Even before the pandemic, about one-third (36%) said that taking initiatives to ensure data privacy and security was their number-one priority in successfully adopting 4IR technologies in their organizations, according to PwC’s 4IR adoption survey.
What’s needed, however, is a new mindset that puts trust at the center of all the decisions that lead up to the implementation of these technologies, whether used internally or marketed externally. Issues such as communicating a data breach to customers or disclosing any algorithmic decision-making embedded in a product or service will become even more critical when companies are competing for customer loyalty and protecting their brand’s value.
Producers of connected products—whether a smart refrigerator or an internet-connected home security system—are increasingly expected to develop such products with a “privacy-by-design” and “security-by-design” mindset. Within companies, technology, legal, IT, OT and sales specialists must work together to oversee accountability and governance related to data security and management. Producers need to look at the entire life cycle of a product, especially since many IoT-driven devices collect data that monitors personal behavior—from location tracking to health conditions to home energy and appliance use, to name a few.
Increase trust with privacy assurance. It’s critical to communicate a clear and consistent story to the market, which is demanding disclosures about privacy programs and practices. Consider using a standardized control reporting framework (e.g., SOC2) as the foundation for your privacy disclosures, as the data privacy rules continue to evolve around the world.
In many manufacturing enterprises, the IT and OT teams are still relatively distinct and siloed, which can create disconnects. OT specialists are increasingly deploying digital technology (including sensors, cameras and other digitized data-gathering devices) to monitor and control industrial production processes and conditions (e.g., controlling engines, conveyors, robots or valves, and monitoring the pressure and temperature of equipment and components).
Such deployments are often connected to the enterprise network—sometimes without the knowledge or oversight of IT specialists, who need to be aware of the security standards of such deployments. This lack of collaboration potentially creates vulnerable entry points.
Merging IT and OT is a significant change for manufacturers. To close the IT-OT gap, you’ll need to define organizational roles and responsibilities for each team—and new touch points for collaboration.
Enlist diverse experts across the organization to rally behind security, including those who are needed to uphold privacy- and security-by-design principles throughout the product life cycle.
“A lot of smaller companies don’t even have cyber representation in their ranks. They need, as a first step, to assess their own in-house IT and OT talent and assign cyber responsibilities across the enterprise to champion it and oversee it—or acquire new talent from the outside to do so.”
Industrial Manufacturing Leader, PwC US
Principal, Consulting Solutions, PwC US
Cyber & Privacy Innovation Institute Leader, PwC US